<!doctype html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<title></title>
	<link rel="stylesheet" type="text/css" href="http://paranoid.net.cn/semantic.css" >
</head>
<body>
<section-title-en>5.1 SGX Physical Memory Organization</section-title-en>
<section-title-ch>5.1 SGX物理存储器组织</section-title-ch>

<p-en>
	The enclaves' code and data is stored in Processor Reserved Memory (PRM), which is a subset of DRAM that cannot be directly accessed by other software, including system software and SMM code. The CPU's integrated memory controllers (§2.9.3) also reject DMA transfers targeting the PRM, thus protecting it from access by other peripherals.
</p-en>
<p-ch>
	飞地的代码和数据存储在处理器保留内存（PRM）中，PRM是DRAM的一个子集，其他软件包括系统软件和SMM代码不能直接访问。CPU的集成内存控制器(§2.9.3)也拒绝以PRM为目标的DMA传输，从而保护它不被其他外设访问。
</p-ch>
<p-en>
	The PRM is a continuous range of memory whose bounds are configured using a base and a mask register with the same semantics as a variable memory type range (§2.11.4). Therefore, the PRM's size must be an integer power of two, and its start address must be aligned to the same power of two. Due to these restrictions, checking if an address belongs to the PRM can be done very cheaply in hardware, using the circuit outlined in §2.11.4.
</p-en>
<p-ch>
	PRM 是一个连续的内存范围，它的边界是用一个基数和一个掩码寄存器配置的，其语义与可变内存类型范围相同（§2.11.4）。因此，PRM的大小必须是二的整数次幂，它的起始地址必须对齐二的同样次幂。由于这些限制，使用 §2.11.4 中概述的电路，可以在硬件中非常廉价地检查一个地址是否属于 PRM。
</p-ch>
<p-en>
	The SDM does not describe the PRM and the PRM range registers (PRMRR). These concepts are documented in the SGX manuals [95, 99] and in one of the SGX papers [139]. Therefore, the PRM is a micro-architectural detail that might change in future implementations of SGX. Our security analysis of SGX relies on implementation details surrounding the PRM, and will have to be re-evaluated for SGX future implementations.
</p-en>
<p-ch>
	SDM没有描述PRM和PRM范围寄存器(PRMRR)，这些概念在SGX手册[95，99]和SGX论文[139]中都有记载。因此，PRM是一个微架构细节，在SGX的未来实现中可能会改变。我们对SGX的安全分析依赖于围绕PRM的实现细节，并且必须对SGX未来的实现进行重新评估。
</p-ch>
<subsection-title-en>5.1.1 The Enclave Page Cache (EPC)</subsection-title-en>
<subsection-title-ch>5.1.1 飞地页面缓存(EPC)</subsection-title-ch>

<p-en>
	The contents of enclaves and the associated data structures are stored in the Enclave Page Cache (EPC), which is a subset of the PRM, as shown in Figure 60.
</p-en>
<p-ch>
	飞地的内容和相关的数据结构存储在飞地页缓存（Enclave Page Cache，EPC）中，EPC是PRM的一个子集，如图60所示。
</p-ch>
<img src="fig.60.jpg" width="" height="" alt="" />
<p-en>
	Figure 60: Enclave data is stored into the EPC, which is a subset of the PRM. The PRM is a contiguous range of DRAM that cannot be accessed by system software or peripherals.
</p-en>
<p-ch>
	图60：飞地数据存储在EPC中，EPC是PRM的一个子集。PRM是一个连续的DRAM范围，系统软件或外围设备无法访问。
</p-ch>
<p-en>
	The SGX design supports having multiple enclaves on a system at the same time, which is a necessity in multi-process environments. This is achieved by having the EPC split into 4 KB pages that can be assigned to different enclaves. The EPC uses the same page size as the architecture's address translation feature (§2.5). This is not a coincidence, as future sections will reveal that the SGX implementation is tightly coupled with the address translation implementation.
</p-en>
<p-ch>
	SGX设计支持在一个系统上同时拥有多个飞地，这在多进程环境中是必要的。这是通过将EPC分割成4 KB页面来实现的，这些页面可以分配给不同的飞地。EPC使用的页面大小与架构的地址转换功能相同（§2.5）。这并不是一个巧合，因为未来的章节将揭示SGX实现与地址转换实现紧密耦合。
</p-ch>
<p-en>
	The EPC is managed by the same system software that manages the rest of the computer's physical memory. The system software, which can be a hypervisor or an OS kernel, uses SGX instructions to allocate unused pages to enclaves, and to free previously allocated EPC pages. The system software is expected to expose enclave creation and management services to application software.
</p-en>
<p-ch>
	EPC由管理计算机其他物理内存的同一系统软件管理。系统软件可以是管理程序或操作系统内核，使用SGX指令将未使用的页面分配给飞地，并释放以前分配的EPC页面。系统软件被期望向应用软件提供飞地创建和管理服务。
</p-ch>
<p-en>
	Non-enclave software cannot directly access the EPC, as it is contained in the PRM. This restriction plays a key role in SGX's enclave isolation guarantees, but creates an obstacle when the system software needs to load the initial code and data into a newly created enclave. The SGX design solves this problem by having the instructions that allocate an EPC page to an enclave also initialize the page. Most EPC pages are initialized by copying data from a non-PRM memory page.
</p-en>
<p-ch>
	非飞地软件不能直接访问EPC，因为它包含在PRM中。这种限制在SGX的飞地隔离保证中起到了关键作用，但当系统软件需要将初始代码和数据加载到新创建的飞地中时，就会产生障碍。SGX的设计解决了这个问题，让分配EPC页给飞地的指令也初始化该页。大多数EPC页是通过从非PRM内存页中复制数据来初始化的。
</p-ch>
<subsection-title-en>5.1.2 The Enclave Page Cache Map (EPCM)</subsection-title-en>
<subsection-title-ch>5.1.2 飞地页面缓存图（EPCM）</subsection-title-ch>

<p-en>
	The SGX design expects the system software to allocate the EPC pages to enclaves. However, as the system software is not trusted, SGX processors check the correctness of the system software's allocation decisions, and refuse to perform any action that would compromise SGX's security guarantees. For example, if the system software attempts to allocate the same EPC page to two enclaves, the SGX instruction used to perform the allocation will fail.
</p-en>
<p-ch>
	SGX的设计期待系统软件将EPC页分配给飞地。然而，由于系统软件不被信任，SGX处理器检查系统软件分配决定的正确性，并拒绝执行任何会损害SGX安全保证的行动。例如，如果系统软件试图将同一个EPC页分配给两个飞地，用于执行分配的SGX指令将会失败。
</p-ch>
<p-en>
	In order to perform its security checks, SGX records some information about the system software's allocation decisions for each EPC page in the Enclave Page Cache Map (EPCM). The EPCM is an array with one entry per EPC page, so computing the address of a page's EPCM entry only requires a bitwise shift operation and an addition.
</p-en>
<p-ch>
	为了进行安全检查，SGX在Enclave Page Cache Map（EPCM）中记录了一些关于系统软件对每个EPC页的分配决定的信息。EPCM是一个数组，每个EPC页有一个条目，所以计算一个页的EPCM条目的地址只需要一个位移操作和一个加法。
</p-ch>
<p-en>
	The EPCM's contents is only used by SGX's security checks. Under normal operation, the EPCM does not generate any software-visible behavior, and enclave authors and system software developers can mostly ignore it. Therefore, the SDM only describes the EPCM at a very high level, listing the information contained within and noting that the EPCM is “trusted memory”. The SDM does not disclose the storage medium or memory layout used by the EPCM.
</p-en>
<p-ch>
	EPCM的内容只被SGX的安全检查所使用。在正常操作下，EPCM不会产生任何软件可见的行为，飞地作者和系统软件开发者大多可以忽略它。因此，SDM只在很高的层次上描述了EPCM，列出了其中包含的信息，并指出EPCM是 "可信的内存"。SDM并没有披露EPCM所使用的存储介质或内存布局。
</p-ch>
<p-en>
	The EPCM uses the information in Table 13 to track the ownership of each EPC page. We defer a full discussion of the EPCM to a later section, because its contents is intimately coupled with all of SGX's features, which will be described over the next few sections.
</p-en>
<p-ch>
	EPCM使用表13中的信息来跟踪每个EPC页面的所有权。我们将对EPCM的全面讨论推迟到后面一节，因为它的内容与SGX的所有功能密切相关，这些功能将在接下来的几节中描述。
</p-ch>
<img src="table.13.jpg" alt="">
<p-en>
	Table 13: The fields in an EPCM entry that track the ownership of pages.
</p-en>
<p-ch>
	表13：EPCM条目中跟踪页面所有权的字段。
</p-ch>
<p-en>
	The SGX instructions that allocate an EPC page set the VALID bit of the corresponding EPCM entry to 1, and refuse to operate on EPC pages whose VALID bit is already set.
</p-en>
<p-ch>
	分配EPC页的SGX指令将相应EPCM条目的VALID位设置为1，并拒绝对VALID位已经设置的EPC页进行操作。
</p-ch>
<p-en>
	The instruction used to allocate an EPC page also determines the page's intended usage, which is recorded in the page type (PT) field of the corresponding EPCM entry. The pages that store an enclave's code and data are considered to have a regular type (PT REG in the SDM). The pages dedicated to the storage of SGX's supporting data structures are tagged with special types. For example, the PT SECS type identifies pages that hold SGX Enclave Control Structures, which will be described in the following section. The other EPC page types will be described in future sections.
</p-en>
<p-ch>
	用于分配EPC页的指令也决定了该页的预期用途，它被记录在相应EPCM条目的页面类型（PT）字段中。存储飞地代码和数据的页面被认为具有常规类型（SDM中的PT REG）。专门用于存储SGX的支持数据结构的页面被标记为特殊类型。例如，PT SECS类型标识了保存SGX Enclave控制结构的页面，这将在下一节中描述。其他EPC页面类型将在未来的章节中描述。
</p-ch>
<p-en>
	Last, a page's EPCM entry also identifies the enclave that owns the EPC page. This information is used by the mechanisms that enforce SGX's isolation guarantees to prevent an enclave from accessing another enclave's private information. As the EPCM identifies a single owning enclave for each EPC page, it is impossible for enclaves to communicate via shared memory using EPC pages. Fortunately, enclaves can share untrusted nonEPC memory, as will be discussed in x 5.2.3.
</p-en>
<p-ch>
	最后，一个页面的EPCM条目还标识了拥有EPC页面的飞地。这一信息被执行SGX隔离保证的机制所使用，以防止一个飞地访问另一个飞地的私人信息。由于EPCM为每个EPC页确定了一个拥有的飞地，飞地不可能通过共享内存使用EPC页进行通信。幸运的是，飞地可以共享不受信任的非EPC内存，这将在x 5.2.3讨论。
</p-ch>
<subsection-title-en>5.1.3 The SGX Enclave Control Structure (SECS)</subsection-title-en>
<subsection-title-ch>5.1.3 SGX飞地控制结构(SECS)</subsection-title-ch>

<p-en>
	SGX stores per-enclave metadata in a SGX Enclave Control Structure (SECS) associated with each enclave. Each SECS is stored in a dedicated EPC page with the page type PT SECS. These pages are not intended to be mapped into any enclave's address space, and are exclusively used by the CPU's SGX implementation.
</p-en>
<p-ch>
	SGX在与每个飞地相关的SGX飞地控制结构（SECS）中存储每个飞地的元数据。每个SECS被存储在一个专用的EPC页面中，页面类型为PT SECS。这些页面不打算被映射到任何 "飞地 "的地址空间中，而是由CPU的SGX实现专门使用。
</p-ch>
<p-en>
	An enclave's identity is almost synonymous to its SECS. The first step in bringing an enclave to life allocates an EPC page to serve as the enclave's SECS, and the last step in destroying an enclave deallocates the page holding its SECS. The EPCM entry field identifying the enclave that owns an EPC page points to the enclave's SECS. The system software uses the virtual address of an enclave's SECS to identify the enclave when invoking SGX instructions.
</p-en>
<p-ch>
	一个飞地的身份几乎与它的SECS同义。使 "飞地 "复活的第一步是分配一个EPC页作为 "飞地 "的SECS，而摧毁 "飞地 "的最后一步则是取消分配持有其SECS的页面。识别拥有EPC页的飞地的EPCM入口字段指向飞地的SECS。系统软件在调用SGX指令时使用飞地的SECS的虚拟地址来识别飞地。
</p-ch>
<p-en>
	All SGX instructions take virtual addresses as their inputs. Given that SGX instructions use SECS addresses to identify enclaves, the system software must create entries in its page tables pointing to the SECS of the enclaves it manages. However, the system software cannot access any SECS page, as these pages are stored in the PRM. SECS pages are not intended to be mapped inside their enclaves' virtual address spaces, and SGX-enabled processors explicitly prevent enclave code from accessing SECS pages.
</p-en>
<p-ch>
	所有的SGX指令都将虚拟地址作为其输入。鉴于SGX指令使用SECS地址来识别飞地，系统软件必须在其页表中创建指向它所管理的飞地SECS的条目。然而，系统软件不能访问任何SECS页面，因为这些页面被存储在PRM中。SECS页不打算被映射到其飞地的虚拟地址空间内，支持SGX的处理器明确地阻止飞地代码访问SECS页。
</p-ch>
<p-en>
	This seemingly arbitrary limitation is in place so that the SGX implementation can store sensitive information in the SECS, and be able to assume that no potentially malicious software will access that information. For example, the SDM states that each enclave's measurement is stored in its SECS. If software would be able to modify an enclave's measurement, SGX's software attestation scheme would provide no security assurances.
</p-en>
<p-ch>
	这种看似武断的限制是为了让SGX的实施能够在SECS中存储敏感信息，并能够假设没有潜在的恶意软件会访问这些信息。例如，SDM指出，每个 "飞地 "的测量值都存储在其SECS中。如果软件能够修改 "飞地 "的测量值，SGX的软件认证方案将无法提供安全保证。
</p-ch>
<p-en>
	The SECS is strongly coupled with many of SGX's features. Therefore, the pieces of information that make up the SECS will be gradually introduced as the different aspects of SGX are described.
</p-en>
<p-ch>
	SECS与SGX的许多功能紧密相连。因此，随着对SGX不同方面的描述，构成SECS的信息片段将被逐步介绍。
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>
<p-en>
	
</p-en>
<p-ch>
	
</p-ch>

</body>
</html>	